
I have a two-parter:
I set up a LAN to LAN VPN yesterday (following this juniper kb article) and it was almost working, so I found another guide and went through the process of making route entries for the static IP addresses, after that everything was working fine. This morning, I got up and it was no longer functional.

Upon further inspecting the settings, I found that my routing entries didn't look quite right. On site-A's firewall I used the settings:

  • site-B's Static IP (let's say 12.345.67.89) which is the IP address I can ping
  • Subnet mask 30
  • Gateway site-A's Static IP (987.654.32.10)
  • Interface e0/0

I reversed these settings for site-B, though site-A's subnet is different.

The problem is that the routes come up with a different IP/Netmask entry, where on site-A's settings, site-B's Static IP reads 12.345.67.87. Similarly, site-B's settings read site-A's Static IP as: 987.654.32.08. In short, the issue is that the last two digits of the IP address are 2 less than what I initially entered.

  1. Is it normal for the ip addresses to display differently like that?
  2. Does anyone have any suggestions as to why my VPN is no longer functional?

Note
Using just the Juniper KB article, I am able to create an almost functional VPN where both firewalls report an Active tunnel. Also, my DHCP server (a Windows machine) shows entries for the workstations on site-B, but I cannot ping them nor can they browse the internet, ping me, or access their networked drives (which are hosted at site-A).

Both sites use a Juniper SSG5 firewall

Thanks in advance for any help!

Edit - Providing more information

From any computer on site-A, I can ping two private IP addresses that are on site-B: 172.16.100.50, which is the interface IP address for bgroup0 on the site-B firewall, and 172.16.100.53, which is a workstation that the site-B office can't seem to physically locate.

From any computer on site-B, pinging a private IP address on site-A (172.16.10.12) gets no reply.

When logged into either firewall via PuTTY I cannot ping any of the LAN IP addresses (e.g. pinging from site-A to site-B 172.16.100.56, and pinging from site-B to site-A 172.16.10.12), but I can ping the static WAN IP addresses of each device.

The 2nd article that I reference suggests that I needed to also create routes for the static WAN IP addresses; those are the addresses that I'm referring to in my OP. The netmasks that I'm using I obtained from each site's ISP. Site-A's netmask is 29 and Site-B's netmask is 30.

Kyle

1 Answer

Didn't I answer your questions the other day in regards to this? Was the question deleted?

The CIDR entries you created would set it that way because of the mask.

If you are putting a mask of /30 then technically the first one (albeit the 2nd octet isn't valid) should be similar to:

12.0.67.88 - 12.0.67.91, with .88 as the route/network and .89 and .90 valid hosts and .91 the broadcast address.

You need to make sure your subnets and routing entries follow proper subnetting.

In short for setting up the VPN:

  1. Setup the tunnel with the two WAN addresses, ike settings, etc.
  2. Setup the routes - each side should have routes to the remote sides LAN subnets with the gateway being the tunnel
  3. The policies should be set up to allow traffic from the local LAN subnets to the remote LAN subnets and vice versa...this should be done on both FWs.

EDIT:

OK, after looking at the diagram here's what I see:

FOR THE TUNNEL ITSELF:

  • It looks fine. You don't really need the Proxy ID settings (at least it appears you have some with the Local and remote IP ranges), but if you do, that's fine.

FOR THE POLICIES:

  • You should have two sets of policies, one for "TRUST TO UNTRUST" and matching bidirectional policies for "UNTRUST TO TRUST". You should set up policy elements for the 2 LANs on both firewalls. Something like "Florida LAN" = 172.16.100.0/24 and "Michigan LAN" = 172.16.10.0/24.
  • Then the policies on the Michigan side should be "TRUST TO UNTRUST" Source = "Michigan LAN", Destination "Florida LAN", Service = ANY, Action = TUNNEL, Tunnel = "Florida VPN", check the box for "matching bidirectional policy". That should create a TRUST TO UNTRUST and an UNTRUST TO TRUST policy on the Michigan SSG5 to tunnel. You will want to create the same thing on the Florida side, this time with source being "Florida LAN" and destination being "Michigan LAN", but same type of policy (action=tunnel, tunnel=Michigan VPN)

FOR THE ROUTES:

MICHIGAN SSG5 (note: I'm assuming you have only one WAN link, and that the current default route 0.0.0.0 points to the gateway being 108.245.51.86):

  • trust-vr should have an entry for the local LAN to know how to get to it. Make sure there is a "172.16.10.0/24 with gateway 172.16.10.1" there, or at least a "C" (meaning connected) in the protocol entry for that 172.16.10.0/24.

FLORIDA SSG5 (same note as the Michigan one)

  • trust-vr should have an entry for the local LAN to know how to get to it. Make sure there is a "172.16.100.0/24 with gateway 172.16.100.50" there, or at least a "C" (meaning connected) in the protocol entry for that 172.16.100.0/24.

All that said...

  1. You don't need static routing entries for your WAN ISP connections.

  2. I think your main problem comes down to the fact that your Florida LAN subnet is 172.16.100.0/24 but your bgroup1 IP is 172.16.100.50, which is in the middle of that subnet; ideal would be for it to be 172.16.100.1 and not .50. On BOTH sides, make sure the workstations' default gateway is correct. For the Michigan side they should all be set to 172.16.10.1 and on the Florida side they should be set to 172.16.100.50.

Assuming all of the SSG5 vpn, policy, and routing entries are correct, I'm betting the problem lies right there, with the default gateways on the computers.

TheCleaner
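As an added example (not code from the original thread or from Juniper), the following Python script works through the two things the answer above turns on: first, why a route typed as a host address with a /30 mask comes back displayed as the network address (using the answer's sanitised 12.0.67.89 rather than the question's invalid 12.345.x.x form), and second, the sanity checks a practitioner would run on each site's LAN interface, workstation default gateways, DHCP scope and tunnel routes before blaming the VPN itself. The site descriptions, the field names (`lan`, `lan_if_ip`, `routes`, `dhcp_scope`, ...), the interface name `tunnel.1` and the Florida DHCP scope starting on the firewall's address are all constructed for this example to mirror the thread, not copied from any device.

```python
"""Subnet and LAN-to-LAN VPN sanity checks (constructed example, not from the post)."""
import ipaddress
from typing import Dict, List, Tuple


def normalise_route(host: str, prefix: int) -> Tuple[str, str, List[str]]:
    """Return (network, broadcast, usable hosts) for a host/prefix pair.

    A route table is keyed by the network address, so a route entered as
    12.0.67.89/30 is stored and shown as 12.0.67.88/30: the '.88' the
    firewall displays is the /30 network containing the host you typed.
    """
    net = ipaddress.ip_interface(f"{host}/{prefix}").network  # non-strict: host bits dropped
    hosts = [str(h) for h in net.hosts()]
    return str(net.network_address), str(net.broadcast_address), hosts


# Constructed site descriptions following the answer's EDIT section.
# Field names are this example's own, not ScreenOS terms.
MICHIGAN: Dict = {
    "name": "Michigan",
    "lan": "172.16.10.0/24",
    "lan_if_ip": "172.16.10.1",
    "remote_lan": "172.16.100.0/24",
    "routes": [("172.16.100.0/24", "tunnel.1")],        # (destination, next hop / interface)
    "workstation_gateways": ["172.16.10.1", "172.16.10.1"],
    "dhcp_scope": ("172.16.10.100", "172.16.10.200"),
}
FLORIDA: Dict = {
    "name": "Florida",
    "lan": "172.16.100.0/24",
    "lan_if_ip": "172.16.100.50",
    "remote_lan": "172.16.10.0/24",
    "routes": [("172.16.10.0/24", "tunnel.1"),
               ("12.0.67.88/30", "ethernet0/0")],       # WAN host route the 2nd guide suggested
    "workstation_gateways": ["172.16.100.50", "172.16.100.1"],  # second one is wrong
    "dhcp_scope": ("172.16.100.50", "172.16.100.150"),  # scope starts ON the firewall's IP
}


def check_site(site: Dict) -> List[str]:
    """Return a list of findings for one site; an empty list means the site looks clean."""
    findings: List[str] = []
    lan = ipaddress.ip_network(site["lan"])
    fw_ip = ipaddress.ip_address(site["lan_if_ip"])
    remote = ipaddress.ip_network(site["remote_lan"])

    # 1. The firewall's LAN interface must live inside the LAN it serves.
    if fw_ip not in lan:
        findings.append(f"{site['name']}: LAN interface {fw_ip} is outside {lan}")

    # 2. Every workstation must use the firewall's LAN address as default gateway,
    #    otherwise traffic for the remote LAN never reaches the tunnel.
    for gw in site["workstation_gateways"]:
        if ipaddress.ip_address(gw) != fw_ip:
            findings.append(f"{site['name']}: workstation gateway {gw} != firewall LAN IP {fw_ip}")

    # 3. The DHCP scope must not hand out the firewall's own address.
    lo, hi = (ipaddress.ip_address(a) for a in site["dhcp_scope"])
    if lo <= fw_ip <= hi:
        findings.append(f"{site['name']}: DHCP scope {lo}-{hi} contains the firewall LAN IP {fw_ip}")

    # 4. A route-based VPN needs a route to the remote LAN via the tunnel interface.
    via_tunnel = [d for d, nh in site["routes"]
                  if ipaddress.ip_network(d) == remote and nh.startswith("tunnel")]
    if not via_tunnel:
        findings.append(f"{site['name']}: no route to remote LAN {remote} via a tunnel interface")

    # 5. Host-sized static routes for the peer's WAN address are not needed for the tunnel.
    for dest, nh in site["routes"]:
        net = ipaddress.ip_network(dest)
        if net != remote and net.prefixlen >= 30 and not nh.startswith("tunnel"):
            findings.append(f"{site['name']}: static route {dest} via {nh} looks like a WAN host route; not needed for the VPN")
    return findings


if __name__ == "__main__":
    print(normalise_route("12.0.67.89", 30))
    for site in (MICHIGAN, FLORIDA):
        print(site["name"], check_site(site) or "clean")
```

Run as-is, the Michigan description comes back clean while Florida is flagged on three counts: one workstation pointing at 172.16.100.1 instead of the firewall's .50, a DHCP scope that starts on the firewall's own address (the overlap the original poster eventually removed), and the unnecessary /30 WAN host route. The `normalise_route` call reproduces the .89 to .88 shift the question asked about.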
  • Yes you were helping me the other day and thank you very much for doing so, as well as providing input today. I'm sorry, I did delete the post, I was told that I'm not supposed to have a question with a long comment thread. Also, I was getting confused as the problem seemed to grow. When I follow the three steps that you have listed (which are very similar to the kb article), I cannot get site-B online and they cannot access their mapped network drives. I've provided an Edit to the OP, if you could read it and give me your thoughts I'd be very grateful – Kyle May 02 '12 at 18:06
  • If you can provide a network drawing with LANs, switch IPs, firewall IPs/ports, etc. then I can provide you more detail. Otherwise, you'll probably need to reach out to Juniper TAC if you don't already know how to setup flow filters and debug traffic to see what is happening. – TheCleaner May 02 '12 at 19:09
  • Thank you, I will make a diagram and add it to another comment with a link. – Kyle May 02 '12 at 19:26
  • I've created the diagram and added it as an edit to the op. I didn't include policy information, but I'm certain I have that correct. Please let me know if there's anything else you need. – Kyle May 02 '12 at 20:39
  • I've updated my answer. – TheCleaner May 03 '12 at 14:14
  • Got it working!
    Couple of notes: I couldn't set the policies to route because the tunnel.1 interface was bound to the VPN already. I'm not really concerned with that, I figure it's because if I had the ability to, it'd be blurring the lines between a route-based and policy-based vpn.
    My solution evolved around what you suggested with the bgroup1 ip (172.16.100.50).
    I deleted that dhcp scope (which started at that ip) and built a new scope. Then I changed the ip in the firewall. Site-B is reporting internet and networked drives work!
    Thanks so much for your help!
    – Kyle May 03 '12 at 16:11